I am using HDIV in my project for securing against the OWASP list, but text boxes are accepting <script>alert(1);</script> as input and saving it to the DB.
I want to write test cases for all OWASP issues.
Below is the project configuration
web.xml Configuration
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/spring/applicationContext-db.xml
WEB-INF/spring/spring-security.xml
WEB-INF/spring/hdiv-config.xml
</param-value>
</context-param>
webmvc-config.xml Configuration
<import resource="applicationContext-hdiv.xml" />
applicationContext-hdiv.xml Configuration
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor" />
<bean id="editableValidator" class="org.hdiv.web.validator.EditableParameterValidator"/>
<mvc:annotation-driven validator="editableValidator" />
</beans>
hdiv-config.xml Configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:hdiv="http://www.hdiv.org/schema/hdiv" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">
<hdiv:config excludedExtensions="css,js,ttf" errorPage="/manage/security-error" maxPagesPerSession="10" confidentiality="true" strategy="memory" randomName="true">
<hdiv:sessionExpired loginPage="/main/common" homePage="/"/>
<hdiv:startPages method="get">/,/.*,/manage/.*,/login</hdiv:startPages>
</hdiv:config>
<hdiv:validation id="customValidation" componentType="text">
<hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9#.\-_]*$]]></hdiv:acceptedPattern>
<hdiv:rejectedPattern><![CDATA[(\s|\S)*(--)(\s|\S)*]]></hdiv:rejectedPattern>
</hdiv:validation>
<hdiv:editableValidations registerDefaults="true">
<hdiv:validationRule url=".*" enableDefaults="false">customValidation</hdiv:validationRule>
</hdiv:editableValidations>
</beans>
XSS is an output problem, not an input problem. Input validation is about making sure data is correct according to the domain. So for instance you want to check that a field expecting to take a year actually receives a number within the expected range. You may also want to make sure that only allowed characters are in use. And in many cases this will stop many attacks.
However, for complex inputs this is no longer viable. Consider a text field where you want to allow users to comment. The user should be allowed to write a comment such as "And hence x < 4". Now we are allowing characters used to build HTML tags.
Now we have two options:
Use a tool to strip out dangerous HTML - likely to fail at some point
Use context aware escaping as described in the OWASP XSS prevention cheat sheet
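As an added illustration of the context-aware escaping the cheat sheet describes (example code, not from the original answer or from the HDIV project): three small encoders for the HTML body, HTML attribute and JavaScript string contexts, exercised on the payload from the question and on the legitimate "x < 4" comment. The class and method names are my own; in production the OWASP Java Encoder or Spring's HtmlUtils/JavaScriptUtils do the same job.

```java
// Added example: minimal context-aware output encoders following the rules
// of the OWASP XSS Prevention Cheat Sheet. Names are hypothetical.
public final class XssEncoder {

    private XssEncoder() {}

    /** Rule #1, HTML element content: entity-encode the characters that can open tags or entities. */
    public static String forHtmlBody(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Rule #2, HTML attribute value: encode everything except [A-Za-z0-9] as &#xHH;,
     *  so even an unquoted attribute cannot be broken out of. */
    public static String forHtmlAttribute(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() * 6);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (isAlphanumeric(c)) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c).toUpperCase()).append(';');
            }
        }
        return sb.toString();
    }

    /** Rule #3, data placed inside a quoted JavaScript string literal: encode everything
     *  except [A-Za-z0-9] as \xHH (or \uHHHH above 0xFF). */
    public static String forJavaScript(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() * 4);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (isAlphanumeric(c)) {
                sb.append(c);
            } else if (c < 0x100) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    private static boolean isAlphanumeric(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    public static void main(String[] args) {
        // Constructed sample input: the payload from the question and a legitimate comment.
        String payload = "<script>alert(1);</script>";
        String comment = "And hence x < 4";

        // The raw string is stored as-is; each output context gets its own encoder.
        System.out.println("<p>" + forHtmlBody(payload) + "</p>");
        System.out.println("<p>" + forHtmlBody(comment) + "</p>");
        System.out.println("<input value=" + forHtmlAttribute(payload) + ">");
        System.out.println("<script>var c = '" + forJavaScript(payload) + "';</script>");
    }
}
```

The design point is that the encoder is chosen by where the value is written, not by what the value looks like: the same comment that must be rejected by an input whitelist (because it contains "<") renders harmlessly once it is encoded for the context it lands in.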
Remove the 'requestDataValueProcessor' and 'editableValidator' beans from the 'applicationContext-hdiv.xml' file; they are created automatically by the tag.
Have a look at this project configuration for a working example:
https://github.com/hdiv/hdiv-spring-mvc-showcase
Related
I am going to deploy a JSF 2.1 (JSF 2.1 + Spring 3 + PrimeFaces 3.0.M3) project to WebLogic 12c (JDK 1.8).
It's a long story to make it work in WebLogic 12c, but there are still some problems, such as the <f:validateRegex> component: it is always checked no matter whether the field is empty or not, but it works fine in WebLogic 10.3.6 (JDK 1.7).
How can I fix it without changing the pattern or other attributes?
My code:
<f:validateRegex pattern="^[0-9a-zA-Z;\s\r\*]+$" />
My weblogic.xml:
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
<container-descriptor>
<prefer-web-inf-classes>false</prefer-web-inf-classes>
<prefer-application-packages>
<package-name>javax.faces.*</package-name>
<package-name>com.sun.faces.*</package-name>
<package-name>com.bea.faces.*</package-name>
<package-name>net.sf.cglib.*</package-name>
<package-name>javax.annotation.*</package-name>
<package-name>org.primefaces.*</package-name>
</prefer-application-packages>
<prefer-application-resources>
<resource-name>javax.faces.*</resource-name>
<resource-name>com.sun.faces.*</resource-name>
<resource-name>com.bea.faces.*</resource-name>
<resource-name>META-INF/services/javax.servlet.ServletContainerInitializer</resource-name>
<resource-name>META-INF/services/com.sun.faces.spi.FacesConfigResourceProvider</resource-name>
<resource-name>META-INF/resources/javax.faces/jsf.js</resource-name>
<resource-name>META-INF/resources/javax.faces/jsf-uncompressed.js</resource-name>
</prefer-application-resources>
<!-- <prefer-web-inf-classes>true</prefer-web-inf-classes> -->
</container-descriptor>
</weblogic-web-app>
Thanks for your reading.
To avoid validation of empty fields you can add this parameter to your web.xml (works in JSF 2.1):
<context-param>
<param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
<param-value>false</param-value>
</context-param>
In this post you can find some explanation and many others parameters.
I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.
After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?".
I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements but I don't really know how to fix it.
Any thoughts?
Thanks!
Support for the secure and http-only attributes is available only in Servlet specification 3.0. Check that the version attribute in your web.xml is "3.0".
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
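The same two settings can also be applied in code through the Servlet 3.0 SessionCookieConfig API, which is a useful cross-check: if this class does not compile against your container's servlet-api, the container (or the API jar on the build path) is still pre-3.0, which is the same root cause as the web.xml validation error above. This is an added example, not from the original answer; the class name is my own.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Added example: hardens the container-managed session cookie (JSESSIONID)
// programmatically, equivalent to <cookie-config> in a Servlet 3.0 web.xml.
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        // HttpOnly: the session cookie is not exposed to document.cookie in the browser.
        cfg.setHttpOnly(true);
        // Secure: the browser only sends the cookie over TLS.
        // Assumption: the application is served over HTTPS; with this flag set,
        // a session established over plain http:// will appear not to persist.
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Note that both the web.xml and the programmatic form only affect the session cookie; cookies the application creates itself with `new Cookie(...)` still need `setHttpOnly(true)` and `setSecure(true)` on each instance. To confirm the fix, look at the Set-Cookie header for JSESSIONID on a fresh HTTPS response (for example with `curl -I`) and check that it carries both `Secure` and `HttpOnly`.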
I've been studying Spring Integration for a few days and in some examples I've noticed the use of both channel and int:channel.
What is the difference?
In the same way, there are other keywords: some start with int: and others (with the same name) do not.
It just depends on how you configure the namespaces at the top of the XML file, and specifically the default xmlns. In the first case, the integration schema is the default, in the second, something else is, usually beans...
<beans:beans xmlns="http://www.springframework.org/schema/integration"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
...
In this case, integration is the default xmlns and you would use
<channel ...
and
<beans:bean ...
here...
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:int="http://www.springframework.org/schema/integration"
...
beans is the default xmlns and you would use
<int:channel...
and
<bean ....
So, it's simply a matter of personal choice.
I don't know if this has a solution or is an IDE enhancement, but when I'm using PrimeFaces components in NetBeans, the autocomplete suggests the taglib p:..., no matter that the id is http://primefaces.org/ui (it should suggest pou), but if you're using PrimeFaces Extensions, instead of giving pe as the showcase does, it gives poue.
So now I created a custom tag lib with id http://zeitek.net/ui, but as with Extensions, znu is suggested. I know I can change it manually, but since it is a collaborative project I would like to use ztk as the predefined prefix to keep the standard in the code. Is there any way to achieve this with a JSF parameter or a NetBeans configuration?
Well, if someone needs this, I was missing this:
You need to create a tag-lib as normal and add this param:
<facelet-taglib
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facelettaglibrary_2_0.xsd"
version="2.0"
id="zinf">
<namespace>http://zeitek.net/infraction/jsf/ui</namespace>
<composite-library-name>zinf</composite-library-name>
</facelet-taglib>
The last part is the important one: <composite-library-name>zinf</composite-library-name>
I am using JSF and I want to use message bundles, so I added the XML configuration below. Now I wonder if someone could share some experiences they had when using them. Is it best practice to have one big properties file that contains all translations for the page, and if so, how do you name your keys? If not, then I guess you have multiple resource files: how do you structure them (what part of the page do they provide messages for?) and are there any naming practices?
I know this may be subjective, but it could be valuable insight for me anyway.
<application>
<resource-bundle>
<base-name>com.myapp.blah</base-name>
<var>msgs</var>
</resource-bundle>
</application>
I suggest you begin with the single-file approach, one per language. If it grows to a level that you simply can't manage anymore, thousands of lines, then you might split it.
Then you can internationalize your pages using a template that will have:
<f:view locale="#{userBean.userLocale}">
and you can enable a select component to hold the available languages for the users to switch:
FacesContext.getCurrentInstance().getViewRoot().setLocale(locale);
and in faces-config.xml:
<application>
<locale-config>
<default-locale>pt-br</default-locale>
<supported-locale>en</supported-locale>
</locale-config>
<resource-bundle>
<base-name>com.myapp.blah.ApplicationResources</base-name>
<var>msg</var>
</resource-bundle>
...
then you have one file per language:
ApplicationResources.properties
ApplicationResources_en.properties
ApplicationResources_pt_BR.properties
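Putting the steps above together, here is an added example (not from the original answer) of the userBean that backs <f:view locale="#{userBean.userLocale}"> and the language selector. The class, property and method names are my own. It only accepts locales that faces-config.xml declares in <locale-config>, so a tampered language-tag parameter in the switch request cannot select an arbitrary locale or trigger a lookup for a bundle the application never shipped.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.annotation.PostConstruct;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;

// Added example: session-scoped bean holding the user's locale for JSF 2.x.
// Bean and property names are hypothetical; they must match the EL used in the view.
@ManagedBean(name = "userBean")
@SessionScoped
public class UserBean implements Serializable {

    private Locale userLocale;

    @PostConstruct
    public void init() {
        // Start from <default-locale> (pt-br in the faces-config above).
        userLocale = FacesContext.getCurrentInstance().getApplication().getDefaultLocale();
    }

    /** Bound by <f:view locale="#{userBean.userLocale}"> in the template. */
    public Locale getUserLocale() {
        return userLocale;
    }

    /** Choices for the language <h:selectOneMenu>: the default plus every <supported-locale>. */
    public List<Locale> getAvailableLocales() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        List<Locale> out = new ArrayList<Locale>();
        out.add(ctx.getApplication().getDefaultLocale());
        for (Iterator<Locale> it = ctx.getApplication().getSupportedLocales(); it.hasNext();) {
            out.add(it.next());
        }
        return out;
    }

    /** Action for the selector, e.g. #{userBean.changeLocale('pt-BR')}; tag is an IETF language tag. */
    public String changeLocale(String languageTag) {
        Locale requested = Locale.forLanguageTag(languageTag); // Java 7+
        for (Locale allowed : getAvailableLocales()) {
            if (allowed.equals(requested)) {
                userLocale = allowed;
                // Apply to the current view as well, so this response already renders in the new language.
                FacesContext.getCurrentInstance().getViewRoot().setLocale(allowed);
                return null; // stay on the same view
            }
        }
        return null; // unknown or unsupported tag: keep the current locale
    }
}
```

Because ResourceBundle falls back from ApplicationResources_pt_BR to ApplicationResources_pt to ApplicationResources.properties, a silently accepted unknown locale would not fail loudly; it would just render the base file, which is why the bean compares against the configured list instead of trusting the submitted tag.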